Introduction

HitmanPro's CryptoGuard is a universal solution against crypto-ransomware.
This type of ransomware encrypts your personal files and demands a ransom fee to be paid in order to regain access to your files.

When your PC has been infected with crypto-ransomware, all your documents, videos, images and other personal files are encrypted.
This encryption prevents you from opening them, whether they are on your PC, a connected drive or the business network.
You see a message stating that you need to pay a certain amount of money (the ransom fee) to gain access to your personal files again.
Payment typically has to be made in Bitcoin.

So how do you prevent your files from being held hostage?

Because malware authors are very creative with code packers and polymorphic engines, new or zero-day versions of ransomware cannot be detected in time using antivirus signatures alone.
We've also seen ransomware use code injection and process hollowing techniques to hide inside legitimate processes.
Think of explorer.exe or winword.exe encrypting your documents and files.
It is a matter of time before crypto-ransomware like CryptoLocker adopts these methods to bypass static, Group Policy-based prevention.

HitmanPro.Alert, now with CryptoGuard

HitmanPro.Alert's CryptoGuard technology does not try to detect the malware based on its static properties; it detects crypto-ransomware based on its file system behavior.
If suspicious behavior is detected, the encryption of the files is blocked and the malware is neutralized, without the need for any user intervention.
The benefit of this approach is that it is much harder for a malware author to radically change the malware's behavior (taking the files hostage) than it is to change its static properties, i.e. where it is located and how the physical code is structured.
CryptoGuard offers a more universal and future-proof solution for both workstations and servers.

CryptoGuard works silently in the background at the file system level, keeping track of remote computers and local processes that are modifying your documents and other files.
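
To illustrate what detection by file system behavior can look like, here is an added example. It is not HitmanPro.Alert's code, and the page does not describe CryptoGuard's actual algorithm. It assumes one common heuristic: a process that rewrites several documents into near-random (high-entropy) content within a short window is flagged, whatever its name or location. The thresholds, the event tuple layout and all function names are assumptions made for this example.

```python
import hashlib
import math
from collections import Counter, defaultdict

# All thresholds below are assumptions chosen for this illustration.
HIGH_ENTROPY = 7.0     # bits/byte; encrypted or random data sits close to 8.0
ENTROPY_JUMP = 2.0     # minimum increase between old and new content
MAX_FILES = 3          # distinct files a process may scramble per window
WINDOW_SECONDS = 10.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious_rewrite(before: bytes, after: bytes) -> bool:
    """True when a write turns structured content into near-random bytes."""
    e_after = shannon_entropy(after)
    return e_after >= HIGH_ENTROPY and e_after - shannon_entropy(before) >= ENTROPY_JUMP

def find_offenders(events):
    """events: time-ordered (timestamp, process, path, before, after) tuples.
    Returns the processes that scrambled MAX_FILES distinct files in one window."""
    recent = defaultdict(list)          # process -> [(timestamp, path), ...]
    offenders = set()
    for ts, proc, path, before, after in events:
        if not is_suspicious_rewrite(before, after):
            continue
        hits = [(t, p) for t, p in recent[proc] if ts - t <= WINDOW_SECONDS]
        hits.append((ts, path))
        recent[proc] = hits
        if len({p for _, p in hits}) >= MAX_FILES:
            offenders.add(proc)
    return offenders

# Constructed sample data: a text document and a deterministic stand-in for ciphertext.
DOC = b"Quarterly report: revenue grew in all regions. " * 40

def fake_ciphertext(seed: int) -> bytes:
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(60))

def sample_events():
    # One ordinary edit by winword.exe, then four scrambling rewrites by "explorer.exe".
    events = [(0.0, "winword.exe", "C:/docs/report.docx", DOC, DOC + b"One more paragraph.")]
    events += [(1.0 + i, "explorer.exe", f"C:/docs/file{i}.docx", DOC, fake_ciphertext(i))
               for i in range(4)]
    return events
```

Calling `find_offenders(sample_events())` flags only the process that scrambled the documents, even though it carries the name of a legitimate Windows process, while the ordinary edit is ignored.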

After installing HitmanPro.Alert, CryptoGuard is automatically enabled to protect your data.
If you want to change any settings regarding CryptoGuard, follow these steps:

1. Open HitmanPro.Alert

2. Click on the gear icon in the top-right corner

3. Select Advanced interface

4. Click on the orange tile called Risk Reduction

5. Select CryptoGuard

What do you see when your files are under attack?

On workstations, when CryptoGuard intercepts an attack on your personal files, it displays an Alert message as shown below:

When the above alert is displayed, the malicious process is neutralized. It can no longer harm your files.

To remove the malicious code from your computer, click on the Scan with HitmanPro button, which will automatically download the HitmanPro anti-malware application (if not already installed on your computer).

HitmanPro will scan your computer for malicious programs and allow you to remove them.

On servers, when CryptoGuard intercepts an attack on the shared files, it writes a warning (level: Error) in the Windows Event Log to alert the system administrator:

Demonstration video

The following video illustrates a CryptoWall and CTB-Locker ransomware attack on a workstation and how CryptoGuard protects your files.

Compatibility

CryptoGuard works at the file system level and does not conflict with full disk encryption software like BitLocker, Sophos SafeGuard or TrueCrypt.